>> The way I read this, it seems to imply that if acl-bind is not set, the
>> identity specified by idassert-bind will be used -- which is clearly not
>> happening here. Am I misreading this, or do you think the wording should
>> be changed here?
>
> As far as I remember, the above is (or was) true in some cases (which I do
> not remember); in any case, the above statement is in contradiction with
> Howard's statement. Either the behavior stated above should be
> generalized (if desirable, in order to avoid the need to configure things
> twice when the same identity is going to be used), or the two should be
> decoupled everywhere in the code.
The current code in ldap_back_prepare_conn:
>>>>
#ifdef HAVE_TLS
	if ( LDAP_BACK_CONN_ISPRIV( lc ) ) {
		sb = &li->li_acl;

	} else if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
		sb = &li->li_idassert.si_bc;

	} else {
		sb = &li->li_tls;
	}

	if ( sb->sb_tls_do_init ) {
		bindconf_tls_set( sb, ld );

	} else if ( sb->sb_tls_ctx ) {
		ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
	}

	/* if required by the bindconf configuration, force TLS */
	if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
		sb->sb_tls_ctx )
	{
		flags |= LDAP_BACK_F_USE_TLS;
	}
<<<<
It seems the initial if/else belongs outside the #ifdef, first of all. Not
sure how to handle the fallback to li->li_tls.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
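A stand-alone model of the split Howard suggests, added here as an illustration and not code from OpenLDAP or from anyone in this thread: the bindconf selection is moved out of the #ifdef so it is taken from the connection flags alone (with li_tls remaining the fallback), and only the TLS step stays conditional. All types, flag values and function names are simplified stand-ins constructed for the example.

```c
/* Stand-alone model of the bindconf selection in ldap_back_prepare_conn; types,
 * flag values and names are simplified stand-ins, not OpenLDAP's definitions. */
#include <stddef.h>

#define HAVE_TLS 1                /* constructed: model a TLS-enabled build */
#define LDAP_BACK_CONN_ISPRIV     0x1u
#define LDAP_BACK_CONN_ISIDASSERT 0x2u
#define LDAP_BACK_F_USE_TLS       0x1u

enum tls_action { TLS_NONE, TLS_INIT, TLS_SET_CTX };

typedef struct bindconf {
    int   sb_tls_do_init;  /* TLS settings still to be applied to the handle */
    void *sb_tls_ctx;      /* non-NULL once a TLS context has been built */
} bindconf;

typedef struct ldapinfo {
    bindconf li_acl;          /* acl-bind */
    bindconf li_idassert_bc;  /* idassert-bind (li_idassert.si_bc) */
    bindconf li_tls;          /* plain connection defaults, the fallback */
} ldapinfo;

/* Pick the bindconf from the connection flags alone. Nothing here depends
 * on TLS, so it can sit outside #ifdef HAVE_TLS; li_tls stays the fallback. */
static bindconf *select_bindconf(ldapinfo *li, unsigned conn_flags)
{
    if (conn_flags & LDAP_BACK_CONN_ISPRIV)
        return &li->li_acl;
    if (conn_flags & LDAP_BACK_CONN_ISIDASSERT)
        return &li->li_idassert_bc;
    return &li->li_tls;
}

/* TLS-dependent part. Reports which TLS step would run on the handle and
 * returns the connection flags. Only acl-bind and idassert-bind force TLS;
 * the li_tls fallback applies its context without setting USE_TLS. */
static unsigned prepare_tls(ldapinfo *li, bindconf *sb, unsigned flags,
                            enum tls_action *action)
{
    *action = TLS_NONE;
#ifdef HAVE_TLS
    if (sb->sb_tls_do_init)
        *action = TLS_INIT;     /* bindconf_tls_set( sb, ld ) */
    else if (sb->sb_tls_ctx)
        *action = TLS_SET_CTX;  /* ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, ctx ) */
    if ((sb == &li->li_acl || sb == &li->li_idassert_bc) && sb->sb_tls_ctx)
        flags |= LDAP_BACK_F_USE_TLS;
#endif
    return flags;
}
```

With the selection outside the #ifdef, a non-TLS build still picks the acl-bind or idassert-bind bindconf for privileged and asserted connections instead of silently falling through to li_tls.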